Summary
Under the proposed Cloud and AI Development Act (CADA), Article 29 would require Member States and Union entities to carry out sovereignty-focused risk assessments that determine the Union assurance level required for public-sector cloud procurement. This differs fundamentally from NIS2 risk management, which focuses on technical cybersecurity resilience rather than geopolitical sovereignty or data autonomy. NIS2 asks entities to manage ICT risks; CADA would ask authorities to map those risks to specific sovereignty tiers (Union assurance levels) to protect public order. CADA is a proposal (COM(2026) 502 final), not yet in force.
Detail
CADA would introduce a distinct regulatory layer for cloud computing that sits alongside, but is functionally separate from, the cybersecurity obligations of the NIS2 Directive. For in-house counsel and compliance officers, understanding the divergence between a CADA sovereignty risk assessment and a NIS2 cybersecurity risk assessment is critical for procurement strategy and operational compliance.
The CADA sovereignty risk assessment (Article 29)
Article 29 of the CADA proposal would establish a mandatory framework for Member States and Union entities to conduct risk assessments. The objective is to identify public-sector activities that contribute to the preservation of public order and to determine the appropriate Union assurance level for the cloud services supporting them.
Specifically, Article 29(1) would require these assessments to:
- Identify public-sector activities that use, or will use, cloud computing services and that contribute to preserving public order in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), as well as in national security, internal security, external border management, defence, justice or law enforcement (including the prevention, investigation, detection and prosecution of criminal offences).
- Determine which Union assurance level (2, 3 or 4) is appropriate for those identified activities.
The methodology, to be specified by the Commission in implementing acts, must take account of at least the following (Article 29(2)):
- The sensitivity, criticality and magnitude of the non-personal data processed, including the potential impact on public order, and the nature, scope, context and purpose of any personal-data processing, with its risks to data subjects' rights and freedoms.
- The risk, and impact on public order, of unlawful access to that data by a third country or a legal entity established in a third country.
- The risk, and impact on public order, of possible service disruption.
Crucially, the output of a CADA risk assessment would be a procurement mandate. If an activity is found to contribute to public order, Article 30(3) requires contracting authorities to procure only cloud services recognised at Union assurance levels 2, 3 or 4. Activities not identified as contributing to public order must use services recognised at Union assurance level 1 (Article 30(2)).
The NIS2 cybersecurity risk assessment
By contrast, the NIS2 Directive (Directive (EU) 2022/2555) focuses on the security of network and information systems. Its risk-management obligations are designed to prevent, detect and respond to cybersecurity incidents, requiring essential and important entities to put in place appropriate technical and organisational measures (Article 21 of NIS2).
NIS2 addresses the technical integrity, confidentiality and availability of systems. It does not establish a framework for sovereign trust or geopolitical autonomy. It does not categorise services by their ownership structure, the jurisdiction of their ultimate controllers, or their exposure to extraterritorial data-access laws (such as the US CLOUD Act).
Key differences in purpose and output
| Feature | CADA Article 29 risk assessment | NIS2 risk management |
|---|---|---|
| Primary focus | Sovereignty, data autonomy, public-order protection | Technical cybersecurity resilience and incident prevention |
| Key risks assessed | Third-country control, extraterritorial data access, service disruption by foreign actors | Cyberattacks, malware, system failures, unauthorised technical access |
| Output | A mandated Union assurance level (1–4) for procurement | Implementation of technical/organisational security measures |
| Applicability | Member States and Union entities (public sector) | Essential and important entities (public and private) |
| Legal basis | CADA Articles 29 and 30 (as proposed) | NIS2 Article 21 |
A cloud service may be technically secure (NIS2-compliant, high cybersecurity standards) yet still fail CADA sovereignty requirements if it is subject to third-country control that could enable unauthorised access or disruption. Conversely, a service may meet sovereignty criteria but still need robust NIS2-compliant security measures.
What this means for you
For in-house counsel and compliance officers — particularly in the public sector or critical-infrastructure sectors — the distinction would have immediate operational consequences.
- Dual compliance. NIS2 compliance would not satisfy CADA. A provider's NIS2 status does not grant it a Union assurance level. You must run the specific Article 29 assessment to determine whether your activities are "public-order" relevant.
- Procurement constraints. If your assessment finds an activity contributes to public order, you would be barred from procuring services that lack recognition at levels 2, 3 or 4 — potentially narrowing your vendor pool, as many global hyperscalers may not currently meet these criteria.
- Deadlines and reporting. A first assessment would be due within one year of the regulation's entry into force, with re-assessments every two years thereafter or whenever necessary (Article 29(1)). Results must be communicated to the Commission within three months of completion (Article 29(4)). Procurement that does not match the assessed level could expose entities to enforcement; Article 24 requires Member States to set effective, proportionate and dissuasive penalties.
- Private-sector spillover. Article 29 applies to public entities, but Article 31 lets private entities in NIS2 Annex I sectors carry out similar assessments. These are not yet mandatory for all such entities, but the Commission may, by delegated act, require impact assessments for those in sectors of high criticality (Article 31(3)). Compliance teams should prepare for that possibility.
Common misconceptions
"NIS2 compliance equals sovereignty compliance." Incorrect. NIS2 addresses technical security; CADA addresses geopolitical control and data autonomy. A provider can be technically secure yet still subject to foreign laws that compel disclosure, failing CADA's higher levels.
"Only the highest assurance levels are required." No. Article 29 is meant to be proportionate. Many public services would need only Union assurance level 1; levels 2–4 are reserved for activities identified as contributing to public order in sensitive areas such as defence or justice. The methodology must in particular ensure the highest level is used for the most critical activities, including defence (Article 29(3)).
"Private companies are exempt from sovereignty considerations." Article 29 targets Member States and Union entities, but CADA recognises that private entities in critical sectors face similar risks. Article 31 gives those entities a route to conduct impact assessments, and the Commission may make them mandatory for high-criticality sectors via delegated act.
Related
- CADA public-sector risk assessment vs private-sector impact assessment
- CADA vs NIS2: how do the cloud sovereignty and security rules differ?
- CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
- CADA self-assessment vs NCA recognition: how the two paths differ
- CADA self-assessment vs independent audit: which applies to my tier?
This is general information about a draft EU regulation, not legal advice.